Global Protect Slowness

Reply
L1 Bithead

Global Protect Slowness

We recently installed a PA-3020 on a 1G circuit and are experiencing very low speeds when clients are conecting in using GlobalProtect. When connecting in from home on a 20M connection we are seeing speed drops down to a max of 5M (mostly lower). We do not have QoS set up for the tunnel so they shouldn't be limited on the PA. We are only seeing the drop in bandwidth with the GlobalProtect tunnel, we have a site-to-site VPN conneciton using a second tunnel that is not seeing any slowdown. Are there any configurations or settings that we should check that might be limiting the conneciton speeds when using GlobalProtect? I have disabled IPSec and tested and we had the same results

 

L5 Sessionator

If the global protect negotiate on SSL it will be slower than IPSec. Test with IPSec only. Check how the users are connecting to global protect through ipsec or SSL.

L3 Networker

My users are all in SSL only. WIll we get any benefits on IPSec? Also, will GP ever use UDP as well? 

L3 Networker

GlobalProtect in IPSEC mode is UDP.

 

What I have found is that performance isn't always the greatest and not sure why it can't push more throughput, but basically my testing has been like this:

 

GlobalProtect IPSEC about even with Cisco AnyConnect SSL VPN which shouldnt be the case. maybe IPSEC being slightly faster sometimes.

 

then GlobalPortect SSL VPN dead last, definitely a noticeable difference.

 

Definitely would like to see some optimization in this area, both on the firewall end and the client. along with a user interface refresh.

L1 Bithead

I have connected using IPSec and SSL and both have speeds about the same when connecting.

 

In order to force the user to connect using SSL I turned off IPSec under the GlobalProtect > Gateway > Client Config > Tunnel Settings. Is there way to only allow IPSec and turn off SSL completely?

L3 Networker

what version firewall are you running and which version client?

 

No way to disable SSL VPN altogether. make sure you look at client details page to see if you are using IPSEC or SSL.

L1 Bithead

PA Verison - 7.0.4

GP Version - 2.3.3

L7 Applicator

GlobalProtect will try IPSec (UDP port 4501) and if it fails then it will fall back to SSL (TCP port 443).

You can't turn off SSL.

IPSec will definitely give bandwidth benefit.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
L1 Bithead

Is there anything other than using IPSec instead of SSL that might be causing speed issues?I used both IPSec and SSL and had roughly the same speeds. Is there a common setting that we might have missed when setting up the tunnel? We followed the steps outlined in the GlobalProtect Admin guide to set up the tunnel. 

L5 Sessionator

Hi,

 

did you check your pcaps from the clients... could you be having some horrible overhead, or lots of drops/retransmissions? You should see significant difference in performance between IPsec and SSL, anyhow.

Have you tried looking at IPsec and Tunneling Resource List to check if any of the documents for configuration/troubleshooting would reveal cause?

Also, have you tested it with GP agent version 3.0.0? It should be out since a few days ago.

 

Best regards,

 

Luciano

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!